Info Call to XML parsing API

Description

Improper XML parsing can lead to several vulnerabilities, which could result in arbitrary file access (XML External Entity injection, XML injection) or denial of service (billion laughs, quadratic blowup).

Recommendation

This entry is informational; no recommendations are applicable.

Technical details

Method android.support.v7.widget.ActivityChooserModel$PersistHistoryAsyncTask.doInBackground() calling method android.util.Xml.newSerializer()


    /**
     * Decompiled body of PersistHistoryAsyncTask.doInBackground(): writes the records in
     * p14[0] as XML to the app file named by p14[1].
     *
     * Review note: the call flagged here is android.util.Xml.newSerializer(), which produces
     * XML output. Nothing in this method parses XML, so the entity-expansion and
     * external-entity risks named in the finding would concern whichever code reads this
     * file back, not this writer.
     *
     * Decompiler artifacts: several locals are mis-typed (the serializer is declared as
     * String, counters as String/int) and the run of catch (java.io.IOException ...) clauses
     * is not valid Java as shown; it is presumably a flattened rendering of the original
     * handlers and a finally block. Read the control flow as approximate.
     *
     * @param p14 p14[0] is cast to java.util.List (the records), p14[1] to String (file name)
     * @return 0 on every path shown (presumably null in the original source)
     */
    public varargs Void doInBackground(Object[] p14)
    {
        java.util.List v1_1 = ((java.util.List) p14[0]);
        String v3_1 = ((String) p14[1]);
        try {
            // Mode 0 is Context.MODE_PRIVATE: the file is created in app-private storage.
            java.io.FileOutputStream v5 = this.this$0.mContext.openFileOutput(v3_1, 0);
            String v6_1 = android.util.Xml.newSerializer();
            try {
                // The second argument (encoding) is rendered as 0, presumably null.
                v6_1.setOutput(v5, 0);
                v6_1.startDocument("UTF-8", Boolean.valueOf(1));
                v6_1.startTag(0, "historical-records");
                String v7_4 = v1_1.size();
                int v8_4 = 0;
            } catch (java.io.IOException v0_3) {
                // Sets the flag (1, presumably true), closes the stream and rethrows.
                this.this$0.mCanReadHistoricalData = 1;
                if (v5 != null) {
                    try {
                        v5.close();
                    } catch (java.io.IOException v2) {
                        // A failure to close is ignored here.
                    }
                }
                throw v0_3;
            } catch (java.io.IOException v0_1) {
                // NOTE(review): this handler and the next two are identical as rendered;
                // each logs the history file name with the exception, sets the flag and
                // closes the stream. The duplication is likely a decompiler artifact.
                int v8_1 = new StringBuilder();
                v8_1.append("Error writing historical record file: ");
                v8_1.append(this.this$0.mHistoryFileName);
                android.util.Log.e(android.support.v7.widget.ActivityChooserModel.LOG_TAG, v8_1.toString(), v0_1);
                this.this$0.mCanReadHistoricalData = 1;
                if (v5 == null) {
                    return 0;
                } else {
                    v5.close();
                    return 0;
                }
            } catch (java.io.IOException v0_9) {
                int v8_9 = new StringBuilder();
                v8_9.append("Error writing historical record file: ");
                v8_9.append(this.this$0.mHistoryFileName);
                android.util.Log.e(android.support.v7.widget.ActivityChooserModel.LOG_TAG, v8_9.toString(), v0_9);
                this.this$0.mCanReadHistoricalData = 1;
                if (v5 == null) {
                    return 0;
                } else {
                    v5.close();
                    return 0;
                }
            } catch (java.io.IOException v0_7) {
                int v8_6 = new StringBuilder();
                v8_6.append("Error writing historical record file: ");
                v8_6.append(this.this$0.mHistoryFileName);
                android.util.Log.e(android.support.v7.widget.ActivityChooserModel.LOG_TAG, v8_6.toString(), v0_7);
                this.this$0.mCanReadHistoricalData = 1;
                if (v5 == null) {
                    return 0;
                } else {
                    v5.close();
                    return 0;
                }
            } catch (java.io.IOException v0) {
                // Returns without logging.
                return 0;
            }
            // Writes one <historical-record> element per entry; remove(0) drains the list
            // from the front as it goes.
            while (v8_4 < v7_4) {
                android.support.v7.widget.ActivityChooserModel$HistoricalRecord v9_4 = ((android.support.v7.widget.ActivityChooserModel$HistoricalRecord) v1_1.remove(0));
                v6_1.startTag(0, "historical-record");
                // Values are handed to XmlSerializer.attribute() rather than concatenated
                // into markup, so escaping is left to the serializer.
                v6_1.attribute(0, "activity", v9_4.activity.flattenToString());
                v6_1.attribute(0, "time", String.valueOf(v9_4.time));
                v6_1.attribute(0, "weight", String.valueOf(v9_4.weight));
                v6_1.endTag(0, "historical-record");
                v8_4++;
            }
            v6_1.endTag(0, "historical-records");
            v6_1.endDocument();
            this.this$0.mCanReadHistoricalData = 1;
            if (v5 == null) {
                return 0;
            } else {
                v5.close();
                return 0;
            }
        } catch (java.io.IOException v0_4) {
            // Outer handler: logs the requested file name (v3_1) with the exception and
            // returns.
            String v6_3 = new StringBuilder();
            v6_3.append("Error writing historical record file: ");
            v6_3.append(v3_1);
            android.util.Log.e(android.support.v7.widget.ActivityChooserModel.LOG_TAG, v6_3.toString(), v0_4);
            return 0;
        }
    }

Method com.google.android.exoplayer2.source.dash.manifest.DashManifestParser.parseEventObject() calling method android.util.Xml.newSerializer()


    /**
     * Decompiled body of DashManifestParser.parseEventObject(): copies the tokens read from
     * the pull parser p7 into an XML serializer writing to p8, until
     * XmlPullParserUtil.isEndTag(p7, "Event") is true, then returns the buffer contents.
     *
     * Review note: the call flagged here is android.util.Xml.newSerializer(), a writer. The
     * parsing side is p7, which is created and configured outside this method, so whether it
     * processes DTDs or resolves entities cannot be told from this listing. The loop forwards
     * every token type, including ENTITY_REF (case 6) and DOCDECL (case 10), so the returned
     * bytes can carry a DOCTYPE and entity references taken from the manifest. If the
     * manifest is not trusted, any consumer that parses the returned bytes should use a
     * parser with DTD and external-entity processing disabled. TODO confirm how callers use
     * the result.
     *
     * @param p7 pull parser supplying the tokens to copy
     * @param p8 output buffer; reset on entry, so earlier contents are discarded
     * @return the re-serialized bytes from p8
     */
    protected byte[] parseEventObject(org.xmlpull.v1.XmlPullParser p7, java.io.ByteArrayOutputStream p8)
    {
        p8.reset();
        org.xmlpull.v1.XmlSerializer v0 = android.util.Xml.newSerializer();
        // The second argument (encoding) is rendered as 0, presumably null.
        v0.setOutput(p8, 0);
        p7.nextToken();
        while (!com.google.android.exoplayer2.util.XmlPullParserUtil.isEndTag(p7, "Event")) {
            int v3_0 = 0;
            // The case values are the XmlPullParser event-type constants; each one is
            // forwarded to the matching serializer call.
            switch (p7.getEventType()) {
                case 0:
                    // START_DOCUMENT
                    v0.startDocument(0, Boolean.valueOf(0));
                    break;
                case 1:
                    // END_DOCUMENT
                    v0.endDocument();
                    break;
                case 2:
                    // START_TAG: copy the tag, then each attribute in index order.
                    v0.startTag(p7.getNamespace(), p7.getName());
                    while(true) {
                        // Decompiler mis-typing: v2_10 is used as the int attribute index.
                        String v2_10 = v3_0;
                        if (v2_10 >= p7.getAttributeCount()) {
                            break;
                        }
                        v0.attribute(p7.getAttributeNamespace(v2_10), p7.getAttributeName(v2_10), p7.getAttributeValue(v2_10));
                        v3_0 = (v2_10 + 1);
                    }
                    break;
                case 3:
                    // END_TAG
                    v0.endTag(p7.getNamespace(), p7.getName());
                    break;
                case 4:
                    // TEXT
                    v0.text(p7.getText());
                    break;
                case 5:
                    // CDSECT
                    v0.cdsect(p7.getText());
                    break;
                case 6:
                    // ENTITY_REF: written back out as a reference, not as expanded text.
                    v0.entityRef(p7.getText());
                    break;
                case 7:
                    // IGNORABLE_WHITESPACE
                    v0.ignorableWhitespace(p7.getText());
                    break;
                case 8:
                    // PROCESSING_INSTRUCTION
                    v0.processingInstruction(p7.getText());
                    break;
                case 9:
                    // COMMENT
                    v0.comment(p7.getText());
                    break;
                case 10:
                    // DOCDECL: the document type declaration text is copied through as read.
                    v0.docdecl(p7.getText());
                    break;
                default:
            }
            p7.nextToken();
        }
        v0.flush();
        return p8.toByteArray();
    }